[squid-users] Squid and DMZ

From: <[email protected]>
Date: Wed, 21 Aug 2002 08:31:18 -0600

I have read the blurb.

"Testing Intranet Access
If you have a proxy-based firewall, Squid should be configured to pass
outgoing requests to the proxy running on the firewall. This quite
often presents a problem when an internal client is attempting to
connect to an internal (Intranet) server, as discussed in section
2.2.5.2. To ensure that the acl-operator lists created in section
2.2.5.2 are working, you should use client to attempt to connect to a
machine on the local network through the cache.
cache1:~ $ client -h cache1.domain.example -p 3128 http://www.localdomain.example
If you didn't get an error message from a command like the above,
access to local servers should be working. It is possible, however,
that the connection could be being passed from the local cache to the
parent (across a serial line), and the parent could be connecting back
into the local network, slowing the connection enormously. The only way
to ensure that the connection is not passing through your parent is to
check the access logs, and see which server the connection is being
passed to."

Yet I am still having quite a performance issue with our web server
that is in the DMZ.

Internal Net------> --------> DMZ ---------> ----> Internet
                  | |
                  | |
                  | |
                  | |
                  |-->Web server-->Squid-->|

I have the Internal Network reaching the Squid Cache and resolving to the
internet fine, although when people want to hit our webserver the
connection is enormously slow.

I need to speed up the connection to our own webserver.

I thought that the squid was somehow resolving to our external IP for
the Web Server so I wrote a SNAT to direct port 80 from our Squid cache
to resolve to the internal IP of the Squid Proxy.
        iptables -t nat -A POSTROUTING -o eth0 -d External-IP -j SNAT --to Internal-IP

This didn't seem to help.

The connection clients are IE 6.0 to IIS 5.0

I could use the help.

Cisco PIX DMZ design.

Greg Gerritsen
Network Administrator
Ruffneck Heaters
Received on Wed Aug 21 2002 - 08:38:30 MDT
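
Added example, not part of the original message or of the Squid documentation it quotes: the access-log check that the quoted passage recommends, summarising for one host whether Squid fetched it directly, from its own cache, or through a parent, together with the mean elapsed time. The log lines, host names and addresses are constructed; the field positions assume Squid's native access.log format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1029940278.412   5231 192.168.1.20 TCP_MISS/200 4512 GET http://www.localdomain.example/ - FIRST_PARENT_MISS/10.9.9.1 text/html
1029940291.007     48 192.168.1.21 TCP_MISS/200 4512 GET http://www.localdomain.example/index.html - DIRECT/172.16.0.10 text/html
1029940302.550      3 192.168.1.20 TCP_HIT/200 1290 GET http://www.localdomain.example/logo.gif - NONE/- image/gif
1029940310.118    212 192.168.1.22 TCP_MISS/200 9032 GET http://www.internet.example/ - FIRST_PARENT_MISS/10.9.9.1 text/html
"""

def classify(hierarchy):
    """Map the hierarchy field to 'direct', 'cache' or 'peer'."""
    code = hierarchy.split("/", 1)[0]
    if code.startswith("HIER_"):   # newer Squid releases prefix the code
        code = code[5:]
    if code == "DIRECT":
        return "direct"
    if code == "NONE":
        return "cache"             # answered locally, nothing forwarded
    return "peer"                  # any parent/sibling selection code

def route_report(log_text, host):
    """Per-route request count and mean elapsed ms for one host."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue               # skip truncated or non-native lines
        if urlsplit(f[6]).hostname != host:
            continue
        entry = stats[classify(f[8])]
        entry[0] += 1
        entry[1] += int(f[1])
    return {r: (n, total / n) for r, (n, total) in stats.items()}

if __name__ == "__main__":
    report = route_report(SAMPLE_LOG, "www.localdomain.example")
    for route, (n, avg) in report.items():
        print(f"{route:6} requests={n} mean_elapsed_ms={avg:.0f}")
```

Any "peer" entries for the local web server mean those requests are leaving through the parent and coming back in, which is the slow path the quoted passage describes.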
